On Sun, Jan 26, 2025 at 12:11:21AM +1100, duluxoz via Postfix-users wrote:

> ... so no, there's no separate "mail-hub" / "edge-mail-gateway" set-up
> - it's all the one box with the haproxy box sitting in front.

Understood, that makes the consolidated edge/hub/submission/... server
somewhat more complex to configure, but certainly not impossible.

> I suppose any internal email headers could be translated to a generic
> "reply-to" email address in one of the external-facing domains - I'm pretty
> sure management doesn't want any reference to internal mail addresses going
> out to non-organisation-controlled domains - to be honest, I don't think
> they thought things through that much; all they want is to stop the internal
> emails going out of the email server.

Yes, but they very likely don't understand the difference between envelope
and header addresses, and primarily were imagining not leaking internal
header addresses out the door, more than envelope sender addresses. But
access rules, ... primarily operate on the envelope, and parsing header
addresses is not something Postfix access rules can do. It'd have to be
either canonical_maps to rewrite or content inspection to reject (content
filters, milters, ...).

> I might be able to convince them to put in a mail-hub (most of the boxes are
> VMs anyway; yay for Proxmox/Ceph): which doco (in particular) should I be
> reading up on to design/implement this type of set-up?

You can look at https://www.postfix.org/MULTI_INSTANCE_README.html,
otherwise it is just about configuring internal systems to send all mail
first to an internal MTA, which is the only one forwarding to the gateway
MTA (logical host, or even Postfix instance on a separate IP or port, but
same physical box and perhaps same VM, if instance).

> And does it have to be a separate box, or just a 2nd instance of
> postfix on the existing mail-stack server?

Up to you, but a 2nd instance requires a second internal IP address to
listen on port 25, unless a different port is acceptable for the internal
mailhub.

> When I originally asked my Q I was thinking along the lines of a "sending
> domain blacklist" to be checked somewhere in smtpd_relay_restrictions, but I
> didn't say anything because I didn't want to "pollute" peoples mindsets
> if/when they replied...

Your main problem is actually headers, the envelope rules are easy.

    smtpd_sender_restrictions =
        check_sender_access inline:{
            { whatever.internal = reject_unauth_destination }
        }

But if you have an internal mailhub, then the edge system would never see
mail coming in whose direct (prior to rewriting) recipients are internal
(the mailhub would have routed those internally), so it can just reject
that sender domain.

However, header addresses still need to be handled. The mailhub can also
define an appropriate "smtp_generic_maps" for the master.cf "smtp/unix"
entry that forwards to the gateway, meaning the gateway does not need the
canonical mapping, but might still want a milter or similar to reject mail
that somehow retains internal addresses in: From:, To:, Cc:, Reply-To:,
Mail-Followup-To:, Resent-From:, Resent-To:, Resent-Cc: (perhaps that's
the lot?).

I am a big fan of keeping each thing simple by dividing responsibility,
others prefer to have a single, even if complex-to-reason-about, thing.
Your choice, but this is more complex than it may seem at first blush
either way.

-- 
    Viktor.
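The header-side check Viktor describes (a milter or content filter that refuses mail still carrying internal addresses in the address-bearing headers) boils down to parsing each of those headers and comparing the domain part of every address against the internal domain list. The script below is an added example written for this thread, not Postfix code and not something from the original message; it reuses the thread's placeholder domain "whatever.internal", and the sample message is constructed. It only reports what a milter's reject decision would be based on; wiring it into an actual milter library is left out.

```python
"""Detect internal-domain addresses in header fields (added example).

The header list matches the one named in the thread: From, To, Cc, Reply-To,
Mail-Followup-To, Resent-From, Resent-To, Resent-Cc.  The domain
'whatever.internal' is the thread's placeholder; the message is constructed.
"""
from email.parser import BytesParser
from email.utils import getaddresses
from typing import Iterable, List, Tuple

# Headers that carry mailbox addresses and must not leak internal domains.
ADDRESS_HEADERS = (
    "From", "To", "Cc", "Reply-To", "Mail-Followup-To",
    "Resent-From", "Resent-To", "Resent-Cc",
)


def _is_internal(addr: str, internal_domains: Iterable[str]) -> bool:
    """True if addr's domain is one of internal_domains or a subdomain of one."""
    domain = addr.rpartition("@")[2].strip().lower()
    if not domain:
        return False  # group syntax like 'undisclosed-recipients:;' has no domain
    for d in internal_domains:
        d = d.lower()
        if domain == d or domain.endswith("." + d):
            return True
    return False


def find_internal_addresses(raw: bytes, internal_domains: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (header-name, address) pairs whose address is in an internal domain.

    Only header fields are inspected; the envelope is the job of the Postfix
    access rules on the edge system, as discussed in the thread.
    """
    msg = BytesParser().parsebytes(raw)  # headers only are needed; body is ignored
    domains = list(internal_domains)
    hits = []
    for name in ADDRESS_HEADERS:
        # get_all handles repeated fields (e.g. several Resent-* blocks).
        for _display, addr in getaddresses(msg.get_all(name, [])):
            if _is_internal(addr, domains):
                hits.append((name, addr))
    return hits


def should_reject(raw: bytes, internal_domains: Iterable[str]) -> bool:
    """Decision a header-inspecting milter would make for outbound mail."""
    return bool(find_internal_addresses(raw, internal_domains))


# Constructed sample: one leaked address in From:, one in Cc:, subdomain in To:.
SAMPLE = b"""From: Alice <alice@whatever.internal>
To: partner@example.com, Dave <dave@hr.WHATEVER.internal>
Cc: Bob <bob@corp.example>, carol@whatever.internal
Reply-To: helpdesk@example.net
Subject: quarterly figures

see attached
"""

if __name__ == "__main__":
    for header, addr in find_internal_addresses(SAMPLE, {"whatever.internal"}):
        print(f"internal address in {header}: {addr}")
    print("reject" if should_reject(SAMPLE, {"whatever.internal"}) else "accept")
```

Matching is done on the domain part only and case-insensitively, including subdomains, so a host-qualified address like user@host.whatever.internal is caught as well; addresses whose domain is merely similar (say whatever.internal.example) are not, which is the behaviour you want before a generic map has had a chance to rewrite anything.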